EU Announces Guidelines to Standardize Cloud Computing Agreements


In an effort to meet one of the key objectives of the European Union's Cloud Computing Strategy - to develop model terms for cloud computing contracts, including service-level agreements - an industry working group that includes major cloud-computing suppliers such as Google, Microsoft, Amazon, and others has submitted guidelines governing Cloud Service Level Agreements (Cloud SLAs) to the European Commission. (For more information on the EU's Cloud Computing Strategy, please read our alert.)

Although the guidelines do not prescribe the content of Cloud SLAs, they do set forth an extensive list of terms - including definitions and descriptions - with the objective of standardizing definitions within the cloud computing industry. The guidelines acknowledge that some Cloud SLAs (particularly those involving large enterprises) may be negotiated individually, while others may be offered in boilerplate form that customers can accept or reject. In either situation, the guidelines are meant to provide consistency in terminology and metrics across agreements and across borders.

In addition to recommending that contracts be technology neutral, business-model neutral, and applicable to users across jurisdictions, the guidelines include a glossary of uniform principles and terms designed to allow customers to evaluate and compare SLAs more effectively. Among the contract terms covered in the guidelines are:

  • Service level objectives. These objectives relate to cloud computing performance, such as service availability, customer support, response time, storage capacity, and termination (ensuring that data is not deleted prematurely).
  • Security level objectives. These objectives seek to "improve both assurance and transparency" concerning such security measures as reliability (including backup/redundancy), encryption, access authentication, and security incident monitoring and reporting.
  • Data management service level objectives. These guidelines standardize terms relating to data classification, life cycle (when data is deleted), and portability.
  • Personal data protection service level objectives. Addressing situations in which the cloud service provider acts as a data processor on behalf of its customer, these objectives seek to ensure that personal data collected by the customer is managed (stored, retained, and potentially released) appropriately and in a manner consistent with applicable privacy regulations.

In its statement announcing the receipt of the guidelines, the European Commission indicated that next steps would include testing these guidelines with users, in particular SMEs, and submitting the guidelines for discussion by the European Commission's Expert Group on Cloud Computing Contracts as part of a larger discussion of other cloud-related activities - including the data protection Code of Conduct for cloud computing providers, which the Expert Group prepared and presented to the Article 29 Data Protection Working Party.

The guidelines will also be presented to the Cloud Computing Working Group of the ISO (the International Standards Organization) as a European position, to inform the ISO's effort to establish international standards on SLAs for cloud computing.

Although these guidelines are not yet mandatory, they do signal the EU's view that internationally enforced standards are critical to consumer trust and the ultimate success of cloud services, and that any entity - including those that are U.S.-based - will eventually need to adhere to those standards.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Loeb & Loeb LLP | Attorney Advertising
